X.509 certificate handling. More...
#include "ike/ike.h"
#include "ike/ike_certificate.h"
#include "ike/ike_payload_parse.h"
#include "encoding/asn1.h"
#include "encoding/oid.h"
#include "pkix/pem_import.h"
#include "pkix/x509_cert_parse.h"
#include "pkix/x509_cert_validate.h"
#include "debug.h"
Go to the source code of this file.
Macros | |
#define TRACE_LEVEL IKE_TRACE_LEVEL | |
Functions | |
error_t ikeGetCertificateType (const X509CertInfo *certInfo, IkeCertType *certType) | |
Retrieve the certificate type. More... | |
error_t ikeGetCertSubjectDn (const char_t *cert, size_t certLen, uint8_t *subjectDn, size_t *subjectDnLen) | |
Extract subject's DN from certificate. More... | |
error_t ikeFormatCertAuthorities (const char_t *trustedCaList, size_t trustedCaListLen, uint8_t *certAuth, size_t *certAuthLen) | |
Format list of acceptable certification authorities. More... | |
bool_t ikeIsDuplicateCa (const uint8_t *certAuth, size_t certAuthLen, const uint8_t *digest) | |
Test whether the provided SHA-1 digest value is a duplicate. More... | |
error_t ikeParseCertificateChain (IkeSaEntry *sa, IpsecPadEntry *padEntry, const uint8_t *message, size_t length) | |
Parse certificate chain. More... | |
error_t ikeValidateCertificate (IkeSaEntry *sa, IpsecPadEntry *padEntry, const X509CertInfo *certInfo, uint_t pathLen) | |
Verify certificate against root CAs. More... | |
error_t ikeCheckKeyUsage (const X509CertInfo *certInfo) | |
Check certificate key usage. More... | |
Detailed Description
X.509 certificate handling.
License
SPDX-License-Identifier: GPL-2.0-or-later
Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.
This file is part of CycloneIPSEC Open.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- Version
- 2.4.4
Definition in file ike_certificate.c.
Macro Definition Documentation
◆ TRACE_LEVEL
#define TRACE_LEVEL IKE_TRACE_LEVEL |
Definition at line 32 of file ike_certificate.c.
Function Documentation
◆ ikeCheckKeyUsage()
error_t ikeCheckKeyUsage | ( | const X509CertInfo * | certInfo | ) |
Check certificate key usage.
- Parameters
-
[in] certInfo Pointer to the X.509 certificate
- Returns
- Error code
Definition at line 811 of file ike_certificate.c.
◆ ikeFormatCertAuthorities()
error_t ikeFormatCertAuthorities | ( | const char_t * | trustedCaList, |
size_t | trustedCaListLen, | ||
uint8_t * | certAuth, | ||
size_t * | certAuthLen | ||
) |
Format list of acceptable certification authorities.
- Parameters
-
[in] trustedCaList List of trusted CA (PEM format) [in] trustedCaListLen Total length of the list [out] certAuth List of SHA-1 hashes of the public keys of trusted CAs [in,out] certAuthLen Actual length of the list, in bytes
- Returns
- Error code
Definition at line 287 of file ike_certificate.c.
◆ ikeGetCertificateType()
error_t ikeGetCertificateType | ( | const X509CertInfo * | certInfo, |
IkeCertType * | certType | ||
) |
Retrieve the certificate type.
- Parameters
-
[in] certInfo X.509 certificate [out] certType Certificate type
- Returns
- Error code
Definition at line 56 of file ike_certificate.c.
◆ ikeGetCertSubjectDn()
error_t ikeGetCertSubjectDn | ( | const char_t * | cert, |
size_t | certLen, | ||
uint8_t * | subjectDn, | ||
size_t * | subjectDnLen | ||
) |
Extract subject's DN from certificate.
- Parameters
-
[in] cert Certificate (PEM format) [in] certLen Length of the certificate [out] subjectDn Buffer where to copy the X.500 distinguished name [out] subjectDnLen Length of the X.500 distinguished name
- Returns
- Error code
Definition at line 205 of file ike_certificate.c.
◆ ikeIsDuplicateCa()
bool_t ikeIsDuplicateCa | ( | const uint8_t * | certAuth, |
size_t | certAuthLen, | ||
const uint8_t * | digest | ||
) |
Test whether the provided SHA-1 digest value is a duplicate.
- Parameters
-
[in] certAuth List of SHA-1 hashes of the public keys of trusted CAs [in] certAuthLen Length of the list, in bytes [in] digest SHA-1 digest to be checked for duplicate value
- Returns
- TRUE if the SHA-1 digest value is a duplicate, else FALSE
Definition at line 410 of file ike_certificate.c.
◆ ikeParseCertificateChain()
error_t ikeParseCertificateChain | ( | IkeSaEntry * | sa, |
IpsecPadEntry * | padEntry, | ||
const uint8_t * | message, | ||
size_t | length | ||
) |
Parse certificate chain.
- Parameters
-
[in] sa Pointer to the IKE SA [in] padEntry Pointer to the PAD entry [in] message Pointer to the received IKE message [in] length Length of the IKE message, in bytes
- Returns
- Error code
Definition at line 445 of file ike_certificate.c.
◆ ikeValidateCertificate()
error_t ikeValidateCertificate | ( | IkeSaEntry * | sa, |
IpsecPadEntry * | padEntry, | ||
const X509CertInfo * | certInfo, | ||
uint_t | pathLen | ||
) |
Verify certificate against root CAs.
- Parameters
-
[in] sa Pointer to the IKE SA [in] padEntry Pointer to the PAD entry [in] certInfo X.509 certificate to be verified [in] pathLen Certificate path length
- Returns
- Error code
Definition at line 654 of file ike_certificate.c.